Blog | G5 Cyber Security

404 Page Clickjacking Risk

TL;DR

Yes. A 404 (or any other error) page served without an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive can be loaded in an iframe by any site, so it is exposed to clickjacking just like any other page. An attacker embeds the error page in an invisible frame on a malicious site and lines it up with a decoy, so that a user who thinks they are clicking the attacker's content is actually clicking a control on your page. The header has to be present on error responses, not just on the pages you think of as sensitive.

Understanding the Risk

Clickjacking works by loading a target page in an invisible or visually disguised iframe on an attacker-controlled page, so that clicks the user believes are going to the attacker's content land on the framed page instead. If your 404 page does not refuse to load inside an iframe, it can be used this way. It is only an error page, but most sites render it with the normal site template, so it carries the same header, navigation, search box and, for a logged-in user, the same account menu or logout link; anything on it that can be clicked can be clickjacked. Malicious actors could use it to:

How to Protect Your 404 Page

The defence against clickjacking is to tell the browser which origins may frame the page. The X-Frame-Options response header does this and is supported everywhere; the Content-Security-Policy frame-ancestors directive is the current standard and gives finer control, and the two can be sent together. Here's how to implement it:

1. Configure Your Web Server

Add the X-Frame-Options header to your web server's configuration so that it is sent on every response, including error responses. Error pages are the ones most often missed: they may be produced by a separate handler, a custom error document or a different application, and several servers only attach configured headers to successful responses unless told otherwise. The exact method depends on your server.

Apache

Header always set X-Frame-Options "SAMEORIGIN"

Add this line to your .htaccess file or your virtual host configuration (mod_headers must be enabled). The always keyword is what makes this work for the 404 page: without it, Header set applies only to successful 2xx responses, so error pages would be served without the header. SAMEORIGIN means the page can only be framed by pages from the same origin; use DENY instead if your site never frames its own pages.

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Add this line to your server block configuration file. The always parameter is required for error pages: without it, nginx only adds the header to responses with status 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308, so a 404 would go out unprotected. Also note that add_header directives are not inherited by a location block that declares its own add_header, so repeat the line (or include a shared snippet) in any such location. Again, SAMEORIGIN is generally a good choice.

Microsoft IIS

In IIS Manager, open the site's HTTP Response Headers feature and add a custom header named X-Frame-Options with the value SAMEORIGIN (this is stored as a customHeaders entry in web.config), or set it with an outbound rule in the URL Rewrite module. Then confirm that your custom 404 page actually carries it, particularly if errors are handled by a different application or served as a static error file.

2. Content Security Policy (CSP)

X-Frame-Options is simpler, but CSP offers more control. The frame-ancestors directive takes a list of origins allowed to frame the page, which is the only reliable way to permit a specific partner site to embed you; the X-Frame-Options ALLOW-FROM value was never widely supported and is ignored by modern browsers, which leaves such a page framable by anyone. For the common case:

Content-Security-Policy: frame-ancestors 'self';

This achieves the same result as X-Frame-Options SAMEORIGIN, and frame-ancestors 'none' corresponds to DENY. When a response carries both, browsers that understand frame-ancestors enforce the CSP directive and ignore X-Frame-Options, so sending both is safe and still covers older browsers. Only the enforcing Content-Security-Policy header counts; Content-Security-Policy-Report-Only reports violations but blocks nothing.

3. Test Your Configuration

Verify that the header is actually sent, and test an error response (request a URL that does not exist) rather than only the home page, since error pages are where the header most often goes missing.
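A checker for this step, added here as an example rather than code from the original post: it classifies a response's framing protection from its headers the way browsers do (CSP frame-ancestors first, then X-Frame-Options, including the ALLOW-FROM case that modern browsers ignore, and conflicting duplicate headers) and runs over a constructed set of sample responses that includes a 404 served without the header. The sample headers, the paths and partner.example are made up for the example; the check_url function fetches a live URL if you pass one on the command line.

```python
"""Framing-protection audit for HTTP responses (added example, not the post's own code).

Evaluates X-Frame-Options and Content-Security-Policy frame-ancestors the way
the HTML and CSP specifications tell browsers to, and classifies a response as
blocked, same-origin, restricted (explicit allow-list) or framable.
"""
import urllib.error
import urllib.request

# Constructed sample responses (not captured from any real site), keyed by path:
# (status code, list of (header, value) pairs exactly as a server might emit them).
SAMPLE_RESPONSES = {
    # Home page: protected by both mechanisms.
    "/": (200, [("Content-Security-Policy", "frame-ancestors 'self'"),
                ("X-Frame-Options", "SAMEORIGIN")]),
    # Custom 404 served by a separate error handler that forgot the header.
    "/does-not-exist": (404, [("Content-Type", "text/html; charset=utf-8")]),
    # Legacy ALLOW-FROM: modern browsers treat the value as invalid and ignore it.
    "/legacy": (200, [("X-Frame-Options", "ALLOW-FROM https://partner.example")]),
}

KNOWN_XFO_VALUES = {"deny", "sameorigin", "allowall"}


def csp_frame_ancestors(csp_values):
    """Return one set of lowercased sources per enforced CSP header that carries
    frame-ancestors. Several CSP headers are each enforced, so all are kept."""
    policies = []
    for header in csp_values:
        for directive in header.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                # An empty source list matches nothing, i.e. behaves like 'none'.
                policies.append({p.lower() for p in parts[1:]} or {"'none'"})
    return policies


def xfo_verdict(xfo_values):
    """Apply the HTML spec's X-Frame-Options algorithm: values are comma-split and
    lowercased; conflicting known values block; unknown values (ALLOW-FROM, typos)
    are ignored, which leaves the page framable by anyone."""
    tokens = {t.strip().lower() for v in xfo_values for t in v.split(",")}
    tokens.discard("")
    if not tokens:
        return "framable"          # header absent
    if len(tokens) > 1:
        return "blocked" if tokens & KNOWN_XFO_VALUES else "framable"
    token = tokens.pop()
    if token == "deny":
        return "blocked"
    if token == "sameorigin":
        return "same-origin"
    return "framable"              # allowall, allow-from ..., or garbage


def framing_verdict(headers):
    """headers: iterable of (name, value) pairs. CSP frame-ancestors, when present,
    takes precedence and X-Frame-Options is ignored, as browsers do. Only the
    enforcing header counts; Content-Security-Policy-Report-Only blocks nothing."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    policies = csp_frame_ancestors(by_name.get("content-security-policy", []))
    if policies:
        # Every enforced policy must allow the ancestor. Textual intersection is an
        # approximation (a bare scheme source such as https: is not expanded).
        allowed = set.intersection(*policies)
        if not allowed or allowed == {"'none'"}:
            return "blocked"
        if allowed == {"'self'"}:
            return "same-origin"
        return "restricted"        # an explicit allow-list of origins
    return xfo_verdict(by_name.get("x-frame-options", []))


def audit_samples():
    """Classify the constructed sample responses; returns {path: (status, verdict)}."""
    return {path: (status, framing_verdict(hdrs))
            for path, (status, hdrs) in SAMPLE_RESPONSES.items()}


def check_url(url, timeout=10):
    """Fetch a live URL and return (status, verdict). Error responses such as 404
    are inspected too: urllib raises for them, so the headers come from the error."""
    request = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, framing_verdict(response.getheaders())
    except urllib.error.HTTPError as err:
        return err.code, framing_verdict(err.headers.items())


if __name__ == "__main__":
    import sys
    # With URLs on the command line, audit them live; otherwise show the samples.
    results = ([(url, check_url(url)) for url in sys.argv[1:]]
               or list(audit_samples().items()))
    for target, (status, verdict) in results:
        print(f"{status} {verdict:<12} {target}")
```

Run it with no arguments to see the three samples classified; the 404 comes back as framable while the home page is same-origin. Run it with https://yourdomain.com/this-page-does-not-exist to test your own error page: a 404 reported as framable is exactly the gap this post is about, and a page that only sends ALLOW-FROM is reported as framable for the same reason.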

4. Example Clickjacking Attempt (for demonstration)

An attacker might use code like this (simplified HTML):

<iframe src="https://yourdomain.com/404" style="border:none; width:100%; height:500px;"></iframe>

Without X-Frame-Options (or a frame-ancestors directive), this iframe loads your 404 page inside the attacker's site. In a real attack the frame is made transparent and positioned over a decoy, so that a click on what looks like the attacker's button lands on a control in your page, such as a logout link, an account menu item or a search box in the shared site template.

Important Considerations
